The clickjacking middleware and decorators provide easy-to-use protection
against clickjacking. This type of attack occurs when a malicious site
tricks a user into clicking on a concealed element of another site, which the
malicious site has loaded in a hidden frame or iframe.

Suppose an online store has a page where a logged in user can click “Buy Now” to
purchase an item. A user has chosen to stay logged into the store all the time
for convenience. An attacker site might create an “I Like Ponies” button on one
of their own pages, and load the store’s page in a transparent iframe such that
the “Buy Now” button is invisibly overlaid on the “I Like Ponies” button. If the
user visits the attacker’s site, clicking “I Like Ponies” will cause an
inadvertent click on the “Buy Now” button and an unknowing purchase of the item.

Modern browsers honor the X-Frame-Options HTTP header that indicates whether
or not a resource is allowed to load within a frame or iframe. If the response
contains the header with a value of SAMEORIGIN then the browser will only
load the resource in a frame if the request originated from the same site. If
the header is set to DENY then the browser will block the resource from
loading in a frame no matter which site made the request.

Django provides a few simple ways to include this header in responses from your
site:

A simple middleware that sets the header in all responses.

A set of view decorators that can be used to override the middleware or to
only set the header for certain views.

This middleware (django.middleware.clickjacking.XFrameOptionsMiddleware) is
enabled in the settings file generated by startproject.

By default, the middleware will set the X-Frame-Options header to
SAMEORIGIN for every outgoing HttpResponse. If you want DENY
instead, set the X_FRAME_OPTIONS setting:

    X_FRAME_OPTIONS = 'DENY'

When using the middleware there may be some views where you do not want the
X-Frame-Options header set. For those cases, you can use a view decorator
that tells the middleware not to set the header:

    from django.http import HttpResponse
    from django.views.decorators.clickjacking import xframe_options_exempt


    @xframe_options_exempt
    def ok_to_load_in_a_frame(request):
        return HttpResponse("This page is safe to load in a frame on any site.")

To set the X-Frame-Options header on a per view basis, Django provides these
decorators:

    from django.http import HttpResponse
    from django.views.decorators.clickjacking import xframe_options_deny
    from django.views.decorators.clickjacking import xframe_options_sameorigin


    @xframe_options_deny
    def view_one(request):
        return HttpResponse("I won't display in any frame!")


    @xframe_options_sameorigin
    def view_two(request):
        return HttpResponse("Display in a frame if it's from the same origin as me.")

Note that you can use the decorators in conjunction with the middleware. Use of
a decorator overrides the middleware.
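The reason a decorator overrides the middleware is that the middleware only adds X-Frame-Options when the view has not already set the header or opted out. The following added example (not Django's own code) is a framework-free model of that interaction: `Response`, `xframe_options_middleware`, `header_for` and the sample views are stand-ins that mirror the behaviour described above, so it runs without Django installed.

```python
from functools import wraps


class Response:  # stand-in for HttpResponse: a headers dict plus the exempt flag
    def __init__(self, body):
        self.body, self.headers, self.xframe_options_exempt = body, {}, False


def xframe_options_middleware(view, x_frame_options="SAMEORIGIN"):
    """Model of the middleware: set the header on the way out, unless the view
    already set it or opted out. That is why a decorator beats the setting."""
    def wrapped(request):
        response = view(request)
        if "X-Frame-Options" in response.headers or response.xframe_options_exempt:
            return response
        response.headers["X-Frame-Options"] = x_frame_options.upper()
        return response
    return wrapped


def _sets_header(value):  # model of xframe_options_deny / xframe_options_sameorigin
    def decorator(view):
        @wraps(view)
        def wrapped(request):
            response = view(request)
            response.headers["X-Frame-Options"] = value
            return response
        return wrapped
    return decorator


xframe_options_deny = _sets_header("DENY")
xframe_options_sameorigin = _sets_header("SAMEORIGIN")


def xframe_options_exempt(view):  # model: flag the response so the middleware skips it
    @wraps(view)
    def wrapped(request):
        response = view(request)
        response.xframe_options_exempt = True
        return response
    return wrapped


def header_for(view, x_frame_options="SAMEORIGIN"):
    """Run a view through the middleware model and return the header it ends up
    with; None means no header was set, so nothing stops another site framing it."""
    response = xframe_options_middleware(view, x_frame_options)(None)
    return response.headers.get("X-Frame-Options")


@xframe_options_deny
def buy_now(request):  # the store's "Buy Now" page from the example above
    return Response("purchase form")


def undecorated(request):  # the middleware decides for this one
    return Response("plain page")
```

Calling `header_for(buy_now, "SAMEORIGIN")` still yields DENY, while `header_for(undecorated, "deny")` yields DENY because the setting is upper-cased, and an exempt view yields None whatever the setting.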